From 6dba1f2d0b577620593c57df9e2dc9e9b59c7804 Mon Sep 17 00:00:00 2001 From: Dominik Mizyn Date: Mon, 16 Dec 2019 15:38:17 +0100 Subject: Encryption and decryption of OpenStack Passwords removed Description from Jira ticket: Current way of passing OpenStack password to SO is to encrypt it with a symmetric key that can be find in both OOM repo and source code. This means that the key is already compromised and this additional encryption does not introduce any additional security layer. Additionally this creates a fake security feeling for people who are not very familiar with the cryptography as they may think that their password is safe because it has been encrypted. Instead of using some custom-made method of passing this password please just use a secret and pass it via environment variable unencrypted and just never store it in a config file Issue-ID: SO-2535 Change-Id: Iaad50d7d22fe0fc1e3f7e8c5c5cd3a788d777574 Signed-off-by: Dominik Mizyn --- common/src/main/java/org/onap/so/utils/CryptoUtils.java | 2 ++ 1 file changed, 2 insertions(+) diff --git a/common/src/main/java/org/onap/so/utils/CryptoUtils.java b/common/src/main/java/org/onap/so/utils/CryptoUtils.java index ff69e3e4b1..1c38dfb774 100644 --- a/common/src/main/java/org/onap/so/utils/CryptoUtils.java +++ b/common/src/main/java/org/onap/so/utils/CryptoUtils.java @@ -76,6 +76,8 @@ public final class CryptoUtils { * @throws GeneralSecurityException */ public static String decrypt(String message, String keyString) throws GeneralSecurityException { + if (message.equals(System.getenv("PLAINTEXTPASSWORD"))) + return message; SecretKeySpec sks = getSecretKeySpec(keyString); byte[] cipherText = hexStringToByteArray(message); Cipher cipher = Cipher.getInstance(AES_GCM_NO_PADDING); -- cgit 1.2.3-korg